check before: 2026-06-01
Product:
Defender, Defender for Office 365, Defender XDR, Exchange, Outlook
Platform:
Online, US Instances, Web, World tenant
Change type:
Feature update, User impact, Admin impact
Summary:
Zero-hour Auto Purge (ZAP) in Microsoft Defender for Office 365 will now scan and remediate malicious emails in users' Deleted Items folders, enhancing post-delivery protection without new policies. Rollout starts June 2026, affecting all tenants with ZAP enabled, with no user experience changes or required actions.
Details:
[What and Why:]
We are extending Zero-hour Auto Purge (ZAP) in Microsoft Defender for Office 365 to scan and remediate malicious messages located in users' Deleted Items folders. This enhancement strengthens post-delivery protection by ensuring phishing, spam, and malware messages are removed even after a user deletes or reports them, improving overall tenant security without introducing new policies or configuration.
[Rollout Schedule:]
General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out in early June 2026 and expect to complete by late July 2026.
[Impact on Your Organization:]
Who is affected:
All tenants using Exchange Online Protection or Microsoft Defender for Office 365 Plan 1 or Plan 2 with ZAP enabled
Platforms/Services:
Exchange Online
Microsoft Defender for Office 365
Outlook (desktop, web, mobile)
What will happen:
ZAP will retroactively scan and take action on malicious messages found in the Deleted Items folder within the ZAP detection window.
This includes messages that were:
Reported by users as phishing
Automatically moved after accepting calendar invitations
Manually deleted by users
Messages identified as malicious will follow existing policy actions (for example, move to Junk, quarantine).
No new policies, actions, or configuration settings are introduced.
Admins will see additional ZAP activity in existing reports and alerts.
A new SourceLocation column will be added to the EmailPostDeliveryEvents table in Advanced Hunting to indicate the originating folder (for example, DeletedItems).
User experience remains unchanged.
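A hunting query for the new column described above, as an added example (not part of Microsoft's notice): it lists ZAP actions whose originating folder is Deleted Items and joins them to EmailEvents for sender and subject. It assumes ZAP action types contain the string "ZAP", that SourceLocation carries the value DeletedItems as in the notice's example, and a 7-day lookback chosen for illustration.

```kql
// Added example. Lookback is an illustrative choice, not a value from the notice.
let lookback = 7d;
EmailPostDeliveryEvents
| where Timestamp > ago(lookback)
// Assumption: ZAP-driven actions are identifiable by "ZAP" in ActionType.
| where ActionType has "ZAP"
// SourceLocation is the new column; column_ifexists() keeps the query valid
// in tenants where the rollout has not reached the schema yet.
| extend SourceFolder = tostring(column_ifexists("SourceLocation", ""))
// Value as given in the notice's example.
| where SourceFolder =~ "DeletedItems"
| join kind=leftouter (
    EmailEvents
    // Extra 2 days is an assumed margin so the original delivery record is
    // still in range for messages remediated at the start of the lookback.
    | where Timestamp > ago(lookback + 2d)
    | project NetworkMessageId,
              RecipientEmailAddress,
              SenderFromAddress,
              Subject,
              OriginalDelivery = DeliveryLocation,
              DeliveredAt = Timestamp
  ) on NetworkMessageId, RecipientEmailAddress
| project Timestamp,
          RecipientEmailAddress,
          SenderFromAddress,
          Subject,
          ActionType,
          ActionResult,
          ThreatTypes,
          OriginalDelivery,
          DeliveredAt,
          SourceFolder
| order by Timestamp desc
```

Removing the `SourceFolder =~ "DeletedItems"` filter and summarizing by `SourceFolder` gives a baseline of how much of the additional ZAP activity comes from Deleted Items.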
[Action Required / Recommendations:]
No action is required.
This change is enabled by default and respects your existing anti-spam, anti-phishing, and anti-malware policies.
Recommended actions for admins:
Review existing ZAP-related reporting in Mail flow status and Threat Explorer to help your Security Operations Center (SOC) become familiar with the additional activity.
Update internal security documentation or helpdesk guidance to note that Deleted Items are now included in ZAP remediation.
Learn more: Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365 | Microsoft Learn
[Compliance Considerations:]
Compliance Question: Does the change alter how existing customer data is processed, stored, or accessed?
Explanation: ZAP will now process and take action on emails located in the Deleted Items folder.
Compliance Question: Does the change alter how admins can monitor, report on, or demonstrate compliance activities?
Explanation: Additional ZAP actions will appear in existing reports, and a new SourceLocation field is added to Advanced Hunting to improve auditability and investigation accuracy.
Created:
2026-05-27
updated:
2026-05-27
Direct effects for Operations**
Increased Security Risks
If ZAP is not properly communicated, users may unknowingly believe that deleted emails are permanently removed, leading to potential security risks if malicious emails are not recognized.
- roles: End Users, Security Administrators
- references: https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge
User Confusion
Users may be confused about the status of their deleted emails, thinking they are permanently gone when they are still subject to scanning, potentially leading to misunderstandings about email management.
- roles: End Users, Helpdesk Staff
- references: https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge
Increased Administrative Workload
Admins may face an increased workload in monitoring and reporting due to additional ZAP activity, which could lead to resource strain if not prepared for the changes.
- roles: Security Administrators, IT Support Staff
- references: https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge
** AI generated content. This information must be reviewed before use.